Cyber crime – a popular theme in TV and movies. The image that comes to mind is a dark room, green code scrolling across the screen, and the inevitable line “We’ve been hacked!”. It’s been played out on our screens, delivered with striking music, and dramatic acting.
Moving to the real world, the reality is that ransomware is not a risk just for government agencies, large public sector organisations, and multinational corporations. You could be fooled into thinking this is a new threat, but the world’s first documented case of ransomware goes back nearly 40 years. The original demand? $189.
Fast-forward to today and this is now a multi-billion-pound criminal industry. This machine does not care who it targets or what the impact may be – it is all about maximising return on investment and profit. Given the scale and growth, the Home Office is now considering stepping into the battle with some of the toughest proposals to date.
So, let’s take a journey – from those floppy disks, all the way to the legislative moves being made right now, starting with what ransomware is:
- Ransomware is a type of malicious software (malware).
- It first blocks access to your computer systems and files.
- It then encrypts the data.
- And finally, a criminal will demand a ransom for its return.
It’s like a burglar breaking into your house, and instead of stealing your valuables and personal belongings they change the locks. You can see everything, but you can’t access it. They then demand a payment to unlock your home.
Where did it all begin?
In 1989, nearly 40 years ago, the first case of ransomware was recorded. A biologist mailed out around 20,000 floppy disks to AIDS researchers around the world. Hidden on the floppy disks was malicious code (malware).
After the user accessed the disk, the malware was installed on the computer. After 90 reboots the malware was activated, locking or ‘encrypting’ the computer. The user was then asked to send $189 to regain access to their computer.
In its original form the ransomware, named ‘the AIDS Trojan’ after that first attack, was clumsy. It was crude, but effective; however, it was not without issue. The delivery vector relied on the postal system, and on waiting for the user to reboot their computer 90 times.
The encryption it deployed was reversible. $189 to get your computer back is a small amount, but had they all paid, the criminal would have been better off to the tune of $3.8 million. Like any new technology and criminal act, it was ripe for development and improvement.
The 2000s: an era of experimentation
By the mid-2000s, cyber criminals were experimenting with stronger encryption and wider distribution. The GPCode trojan introduced the use of RSA keys, making the encryption much harder to break.
The “police locker” scams appeared during the same period. In this scam, the user’s screen would freeze, showing a message claiming to be from law enforcement and demanding that a fine be paid via prepaid cards. It was far from elegant or sophisticated, but it worked. It demonstrated to criminals for the first time that fear could be just as powerful as technology and encryption.
2013: a game-changer
In 2013, everything changed. CryptoLocker appeared for the first time. It used the strongest encryption seen to date and demanded payment via bitcoin, an untraceable, anonymous digital currency. The attack was spread through botnets: armies of computers controlled by the cyber criminals.
In 2017, the first large-scale attacks occurred – WannaCry and NotPetya – and the impact was catastrophic.
Let’s look at WannaCry first. It is believed to have started in the UK and Spain simultaneously. Within two hours the UK NHS reported widespread outages impacting hospitals and GPs. Within 12 hours, this spread to 99 countries, with 75,000 separate infections. In the next 24 hours, this rose to 200,000 computers in more than 150 countries.
At its peak, it was infecting around 10,000 computers an hour. This was down to a different method of deployment: it self-propagated like a worm, with no dependence on phishing or human action. Within 24 hours it became the largest ransomware outbreak in history.
One of the root causes of such a widespread and fast infection rate was that many organisations had not deployed a patch that Microsoft had released two months earlier, leaving the known vulnerability as an open door to many computers across the world.
It was only stopped when a security researcher discovered a hidden kill switch and activated it. This slowed the outbreak within hours.
Like all things digital, it was only a matter of time before this evolved to be even more damaging. The world didn’t have to wait long, as six weeks later, NotPetya was deployed.
It was considered the next chapter in the cyber criminal’s evolution of ransomware. It looked like ransomware, but it was more like a cyber weapon in disguise. The attack was designed to destroy data and cripple infrastructure, not to collect ransom payments.
The original target was Ukraine, specifically government offices, banks, and utilities, before moving on to multinational corporations. It was initially deployed via the compromise of a Ukrainian tax program. Again, this spread worldwide within hours. The payment link for the ransom didn’t work, which was the first indication this was a fake ransomware attack.
NotPetya was classified as a ‘cyber warfare attack’. It was not the first of its kind, but it was the largest at the time of the attack. Ultimately, it was designed to destroy data and systems rather than encrypt them, meaning there was nothing to recover. Unlike WannaCry, there was no kill switch to stop the attack. However, it did use the same known vulnerability as a deployment mechanism.
WannaCry has been attributed to a criminal gang linked to North Korea, and the estimated global cost was in the region of $4 billion. NotPetya’s origin was traced back to a state-sponsored cyber attack linked to Russia, with an estimated cost of between $10 and $12 billion.
Target changes
The evolution continued. Post-WannaCry and NotPetya, criminals stopped chasing individuals and started targeting organisations. Anyone was fair game – hospitals, schools, councils, utilities, and manufacturers just to name a few.
The advancement of encryption left many with no choice other than to pay the ransom. At this time, larger organisations started to see the real value in backups and keeping them away from their operating infrastructure to stop cyber criminals encrypting them too. Other than paying the ransom, the only other way to recover was to rebuild from your backup.
During this period, double extortion emerged: a fee to decrypt the data, and a further payment to stop the data being published online. This is still true of many ransomware attacks today.
It was becoming clear that these were no longer hackers in hoodies, but rather they were large-scale criminal gangs operating more like multinational corporations. This included operating with affiliates, outsourcing services, providing customer support, and even profit sharing.
The current landscape
Ransomware is still one of the most common types of cyber attack, and attacks are more brutal than ever. Triple extortion is emerging as criminals add on other attacks, such as DDoS or directly contacting your customers or partners, to put more pressure on you to pay the ransom.
A DDoS (Distributed Denial of Service) attack is when lots of computers all try to access the same website, server, or network at once, overwhelming it so that legitimate users can’t get through. It is like thousands of people crowding a single entrance, stopping real customers from entering.
- Exploited vulnerabilities are the most common root cause (36%) of cyber attacks in the UK.
- Email remains the number one delivery method (20%) worldwide.
- The supply chain is a stepping stone method, starting with a smaller, easier-to-access target and moving through the supply chain to reach the big fish.
- Stolen or compromised credentials (19%) are another common way the criminals are gaining access to your systems and data.
Cyber criminals are also leveraging AI, just as the rest of the world is. They are already using AI language models to make communication more real and personalised, as well as using AI technology on the dark web to design and deliver cyber attacks. It is removing the need to be a specialist to perform these attacks.
Ransomware as a service is very much alive: this is where a criminal pays for the services of a specialist to deploy and manage the attack, very much like any legal outsourced service we see across the world.
Any organisation is fair game, including critical infrastructure and services as well as not-for-profits and charities. As a result, the UK government is no longer just watching and is moving to a more active position.
The UK Home Office consultation
The UK Home Office completed a public consultation on ransomware between January and April 2025.
Three big ideas for changes were shared:
- Ban ransom payments by public sector organisations and operators of critical national infrastructure.
- Require private businesses to notify the government if they intend to pay, with mandatory pre-checks taking place.
- Introduce a mandatory incident reporting regime – potentially requiring notification within 72 hours of an attack.
In July, the government confirmed it will move ahead. What is the potential impact of such changes? It would make it illegal for public sector organisations, schools, hospitals, and local councils to make ransom payments.
While the private sector won’t be banned outright, they will have to notify the government before they make payments. It could require checks to be performed, and some payments may be identified as illegal due to sanctions against Russia, for example.
It is being viewed carefully across the globe, and it is considered to be the most aggressive stance and action against ransomware anywhere in the world. However, it will not be without challenges. 96% of UK business leaders support such a ban, while 75% of them admitted they would be willing to risk criminal penalties if it meant saving their company.
If action is not synced with stronger resilience, better recovery tools, and fast government support, it could leave many organisations with no alternative other than to break the rules and pay the ransom.
This is sure to drive change and further evolution in the criminal world if their income is reduced through bans. Just like any other business, they will need to find new revenue streams. As they pivot, this could increase pure data theft and resale, as well as other extortion methods. This signals that ransomware is no longer just a technical battle – it is a legal, political, and economic one.
The good news
Proactive action is showing positive results.
- Continued reduction in payments. In 2025, it is being reported that only 17% of UK businesses paid any ransom. This was around 27% in 2024 and 44% in 2023.
- 57% of organisations recovered from their backups, avoiding any payments.
- 72% of businesses have air-gapped backups (isolated from their network).
- 59% employ immutable (unchangeable) backups.
- 24% have a formal “zero pay” policy in place.
This does come with a downside, however. Like any business whose revenue stream is reduced or cut off, cyber criminals must evolve and adapt. The result is that ransom demands have more than doubled, with the UK median now being £3.9 million. UK organisations on average pay 103% of the ransom, while the global average is 85%.
What started as $189 to be sent to a Panama PO Box has transformed into a billion-dollar business. The UK government is signalling that it is going to take an aggressive, practical stance to disrupt this. In the meantime, cyber criminals continue to target UK businesses.
Ransomware has evolved, and so must your defences. At Net-Defence, we help organisations build true cyber resilience through proactive security strategies, robust data protection, and expert recovery planning. Don’t wait for an attack to expose the gaps – strengthen your security posture today with Net-Defence’s cyber resilience services.
Unsure of where to start? Get in touch with our team and we can help you understand where your vulnerabilities lie and how to best address them.